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- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
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Status 
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2a)D This action is FINAL. 2b)l3 This action is non-final. 
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Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
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II) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12)D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

2. D Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
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DETAILED ACTION 

Claim Objections 

Claim 3 is objected to because of the following informalities: "Wherein the user 
of the CDCM" should be "Wherein the user of the CDCM system". Appropriate 
correction is required. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, 
manufacture, or composition of matter, or any new and useful improvement 
thereof, may obtain a patent therefor, subject to the conditions and requirements 
of this title. 

Claim 1 is rejected under 35 U.S.C. 101 because Claim 1 is directed to 
"computer program, logic or language, per se." Generally, functional descriptive 
material, such as a computer program, is statutory when it is stored on a tangible 
computer readable medium. See MPEP § 2106 IV. B.I (a). However, in the present 
application, the specification defines does not define "computer readable medium." A 
computer program listing on a sheet of paper is not considered to provide functionality, 
and is therefore considered to be merely a computer program per se, which is non- 
statutory subject matter. Further, "transmission media" such as "communications links" 
as broadly defined may include non-tangible media such as signals, which are also 
considered non-statutory. When a claim encompasses both statutory and non-statutory 
subject matter, the claim as a whole is directed to non-statutory subject matter. 
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Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a 
foreign country or in public use or on sale in this country, more than one year 
prior to the date of application for patent in the United States. 

Claims 1-4 are rejected under 35 U.S.C. 102(b) as being anticipated by Taylor, 

"Risk Analysis and Probabilistic Survivability Assessment (RAPSA): An Assessment 

Approach for Power Substation Hardening". 

Claim 1 

Taylor discloses a Cyber-Security Damage Assessment and Evaluation Measurement 
(CDAEM) system comprising: 

a set of one through "n" functions or sub-functions each which addresses a operational 
topic, capability or activity which is either required or desired to be performed in the 
accomplishment of the mission, task or objective of an organization, entity or individual, 
where the functions and/or sub-functions by analytical representations either simulates 
or emulates one or more operational topics, capabilities or activities in the context of a 
cyber-crime attack, cyber-terror attack or other man-made or natural disaster (Section 2 
and Section 3); 
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one or more input modules or functions that accept user defined actual or desired 
operational parameters for each function and/or sub-function (page 3, 2 nd paragraph: "A 
key survivability concept is the identification of essential services along with essential 
properties in support of those service. Among the essential properties of interest are 
integrity, confidentiality, availability, reliability or performance requirements" = actual or 
desired operational parameters" and Section 3); 

one or more input modules or functions that accept user defined sensitivity study 
parameters for various functions and/or sub-functions (Section 2: "Survivability: page 3, 
2 nd paragraph: "confidentiality"); 

one or more analytical models which translate operational topics, capabilities or 
activities into dollar definitive representations and transcend the incompatibility of 
mapping an operational environment into a financial model which is related to disaster 
losses and dollar loss potentials and/or exposures ("RAPSA Process Description: Stage 
4" and Section 2: page 4: "Using modeling risks and causal relationships are event and 
fault trees to analyze. . ."); 

one or more output modules or functions which provide definitive dollar representations 
of direct losses, economic losses and damage claim losses based upon the user 
defined actual or desired operational parameters for each functions and/or sub- 
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functions (Section 1 : "economic disruption"; Section 2 and 3). 
Claim 2 

Taylor discloses wherein the user of the CDAEM system defined in claim 1 has the 
capabilities to use the system in a stand alone, single computer or digital device 
configuration, or as part of a configuration that includes a network of computers and 
digital devices (page 1 , Section 1 : "a large network or infrastructure system"). 

Claim 3 

Taylor discloses wherein the user of the CDAEM defined in claim 1has the capabilities 
to use the device in a direct user present at the computer or digital device configuration, 
or as part of remote access configuration which may include wireline, wireless or other 
modes of communications (Table 2 and Table 4 and page 5: "the communication status 
information to corporate computers"). 

Claim 4 

Taylor discloses wherein the user of the CDAEM system defined in claim 1 has the 
capabilities to use the system in a stand alone, single operations mode, or as part of a 
configuration that includes a network or grouping of CDAEM type of systems (Section 4: 
"standalone risk assessment for cyber system security") or other systems methods or 
apparatuses which use modules or function to represent or to addresses a operational 
topic, capability or activity which is either required or desired to be performed in the 
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accomplishment of the mission, task or objective of an organization, entity or individual 
(Section 1-3: "Survivability System Analysis (SSA) focuses on organization's mission to 
withstand attacks.."). 



Double Patenting 

The nonstatutory double patenting rejection is based on a judicially created 
doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the 
unjustified or improper timewise extension of the "right to exclude" granted by a patent 
and to prevent possible harassment by multiple assignees. A nonstatutory 
obviousness-type double patenting rejection is appropriate where the conflicting claims 
are not identical, but at least one examined application claim is not patentably distinct 
from the reference claim(s) because the examined application claim is either anticipated 
by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 
F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 
USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 
1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 
F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 
USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) 
may be used to overcome an actual or provisional rejection based on a nonstatutory 
double patenting ground provided the conflicting application or patent either is shown to 
be commonly owned with this application, or claims an invention made as a result of 
activities undertaken within the scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a 
terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 
37 CFR 3.73(b). 

Claims 1-4 are provisionally rejected on the ground of nonstatutory obviousness- 
type double patenting as being unpatentable over claims 1-4 of copending Application 
No. 10/737503. Although the conflicting claims are not identical, they are not patentably 



distinct from each other because: 



Application 10/737503 


Instant Application 10/737373 


Claim 1: 


Claim 1: 
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A Cyber-Security Vulnerability Detection 
and Compliance Measurement (CDCM) 
system comprising: 


A Cyber-Security Damage Assessment 
and Evaluation Measurement (CDAEM) 
system comprising: 


a set of one through "n" functions or sub- 
functions each which addresses a 
operational topic, capability or activity 
which is either required or desired to be 
performed in the accomplishment of the 
mission, task or objective of an 
organization, entity or individual, where the 
functions and/or sub-functions by 
analytical representations either simulates 
or emulates one or more, or a group of, 
operational topics, capabilities or activities 
in me coniexi ut d oyuci-uiiiiits auaors, 
cyber-terror attack or other man-made or 
natural disaster; 


a set of one through "n" functions or sub- 
functions each which addresses a 
operational topic, capability or activity 
which is either required or desired to be 
performed in the accomplishment of the , 
mission, task or objective of an 
organization, entity or individual, where the 
functions and/or sub-functions by 
analytical representations either simulates 
or emulates one or more operational 
topics, capabilities or activities in the 
rontpxt of a cvber-crime attack cvber- 
terror attack or other man-made or natural 
disaster; 


one or more incut modules or functions 
that accept user defined actual or desired 
operational parameters for each function 
and/or sub-function; 


one or more input modules or functions 
that accept user defined actual or desired 
operational parameters for each function 
and/or sub-function; 
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one or more input modules or functions 
that aeceDt user defined sensitivitv studv 

1 1 | d I ClwwwIJl UOwl Vt^l II Ivm wwl 1 will V 1 1 jr wlWylJf 

parameters for various functions and/or 
sub-functions; 


one or more input modules or functions 
that accept user defined sensitivitv study 
parameters for various functions and/or 
sub-functions; 


one or more analytical models which 
translate operational topics, capabilities or 
activities into dollar definitive 
representations and transcend the 
incompatibility of mapping an operational 
environment into a financial model, a 
performance model, a compliance model, 
and related system measurement model 
configurations which are required to 
provide measurement results which are 

ronrpcpntsati\/P rvf £inrl Hpfiniti\/P of thp 

system and entity, organization or 
individual which is being measured; 


one or more analytical models which 
translate operational topics, capabilities or 
activities into dollar definitive 
representations and transcend the 
incompatibility of mapping an operational 
environment into a financial model which is 
related to disaster losses and dollar loss 
potentials and/or exposures; 


one or more output modules or functions 
which provide definitive representations of 
performance and compliance of the 


one or more output modules or functions 
which provide definitive dollar 
representations of direct losses, economic 
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system and entity, organization or 
individual based upon the user defined 
actual or desired operational parameters 
fnr pflrh functions and/or sub-functions as 
against a defined standard or as a raw 1 
non-standardized value; 


losses and damage claim losses based 
upon the user defined actual or desired 
operational parameters for each functions 
and/or sub-functions 


one or more output modules or functions 
which provide definitive representations of 
the vulnerabilities and weaknesses which 
were observed in the system and entity, 
organization or individual based upon the 

parameters for each functions and/or sub- 
functions; 




one or more output modules or functions 
which provide the capabilities to report and 
to archive the definitive and/or parametric 
results of the various measurements and 
definitive results provided by these models 
and processing activities; and 
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one or more output modules or functions 




which provide definitive representations of 




the intermediate and local function and/or 




^uh-fiinrtion Derformance Darameters and 




the ability to report and to archive such 




values and parameters. 





It would have been obvious to one of ordinary skill in the art at the time of 
invention to modify the teachings of Application 10/737503 by having one or more 
output modules or functions which provide definitive dollar representations of direct 
losses, economic losses and damage claim losses based upon the user defined actual 
or desired operational parameters for each functions and/or sub-functions, which is 
disclosed in the Instant Application 10/737373. Instead of having multiple intermediate 
reports for the output modules that is claimed in Application 10/737503, can just have 
output modules that the user defined as actual or desired operational parameters such 
as: direct losses, economic losses and damage claim losses which is claimed in 
Application 10/737503 (everything underlined in the table) in the intermediate reports of 
the various measurements and definitive results provided by the models (financial, 
performance, compliance and related system measurement model configurations).- 

Therefore, claim 1 of Application # 10/737503 contains every element of claim 1 
of the. instant application and thus anticipate the claim of the instant application. Claim 
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of the instant application therefore are not patently distinct from the earlier application 
(10/737503) claim and as such are unpatentable over obvious-type double patenting. A 
later application claim is not patentably distinct from an earlier claim if the later claim is 
anticipated by the earlier claim. 



Application 10/737503 


Instant Application 10/737373 


Claim 2: 


Claim 2: 


Wherein the user of the CDCM system 
defined in claim 1 has the capabilities to 
use the system in a stand alone, single 
computer or digital device configuration, or 
as part of a configuration that includes a 
network of computers and digital devices. 


Wherein the user of the CDAEM system 
defined in claim 1 has the capabilities to 
use the system in a stand alone, single 
computer or digital device configuration, or 
as part of a configuration that includes a 
network of computers and digital devices. 



Claim 2 of Application # 10/737503 contains every element of claim 2 of the 
instant application and thus anticipate the claim of the instant application. Claim of the 
instant application therefore are not patently distinct from the earlier application 
(10/737503) claim and as such are unpatentable over obvious-type double patenting. A 
later application claim is not patentably distinct from an earlier claim if the later claim is 
anticipated by the earlier claim. 
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Application 10/737503 


Instant Application 10/737373 


Claim 3: 


Claim 3: 


Wherein the user of the CDCM defined in 
claim 1 has the capabilities to use the 
device in a direct user present at the 
computer or digital device configuration, or 
as part of remote access configuration 
which may include wireline, wireless or 
other modes of communications. 


Wherein the user of the CDAEM defined in 
claim 1 has the capabilities to use the 
device in a direct user present at the 
computer or digital device configuration, or 
as part of remote access configuration 
which may include wireline, wireless or 
other modes of communications. 



Claim 3 of Application # 10/737503 contains every element of claims 3 of the 
instant application and thus anticipate the claim of the instant application. Claim of the 
instant application therefore are not patently distinct from the earlier application 
(10/737503) claim and as such are unpatentable over obvious-type double patenting. A 
later application claim is not patentably distinct from an earlier claim if the later claim is 



anticipated by the earlier claim. 


Application 10/737503 


Instant Application 10/737373 


Claim 4: 


Claim 4: 


Wherein the user of the CDCM system 


Wherein the user of the CDAEM system 


defined in claim 1 has the capabilities to 


defined in claim 1 has the capabilities to 1 


use the system in a stand alone, single 


use the system in a stand alone, single 
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operations mode, or as part of a 


operations mode, or as part of a 


configuration that includes a network or 


configuration that includes a network or 


grouping of CDCM type of systems. 


grouping of CDAEM type of systems or 




other systems methods or apparatuses 




which use modules or function to 




represent or to addresses a operational 




topic, capability or activity which is either 




required or desired to be performed in the 




accomplishment of the mission, task or 




objective of an organization, entity or 




individual. 



Claim 4 of Application # 10/737503 contains every element of claim 4 of the 
instant application and thus anticipate the claim of the instant application. Claim of the 
instant application therefore are not patently distinct from the earlier application 
(10/737503) claim and as such are unpatentable over obvious-type double patenting. A 
later application claim is not patentably distinct from an earlier claim if the later claim is 
anticipated by the earlier claim. 

This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 



Application/Control Number: 10/737,373 
Art Unit: 2139 



Page 14 



Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. , 

Jahn (US 2004/001 9803 A1 ) teaches a software facility for evaluating and 
reporting security vulnerabilities on a computer network. 

Bunker, V et al. (US 2003/00561 16 A1 ) teaches a real-time network security 
vulnerability assessment tests, possibly complete with recommended security solutions. 
External vulnerability assessment tests can emulate hacker methodology in a safe way 
and enable study of a network for security openings, thereby gaining a true view of risk 
level without affecting customer operations. 

Bunker, V et al. (US 2003/0028803 A1) teaches a real-time network security 
vulnerability assessment tests, possibly complete with recommended security solutions. 
External vulnerability assessment tests can emulate hacker methodology in a safe way 
and enable study of a network for security openings, thereby gaining a true view of risk 
level without affecting customer operations. 

Magdych et al. (US 6, 546, 493 B1 ) teaches a system, method and computer 
program product are provided for scanning a source of suspicious network 
communications. A scan that may include a risk assessment scan for identifying 
vulnerabilities at the source. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kari L. Schmidt whose telephone number is 571-270- 
1385. The examiner can normally be reached on Monday - Friday: 7:30am - 5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the • 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




